Timeline for Why do some people really hate security via client-side?
Current License: CC BY-SA 3.0
18 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Jun 23, 2019 at 1:11 | comment added | Cano64 | | This would have the same effect as storing passwords in plaintext. |
| Feb 4, 2018 at 11:41 | history protected | Rory Alsop♦ | | |
| Mar 27, 2014 at 2:03 | comment added | Anti-weakpasswords | | I'll let the answers address the general question, but to make your two proposals even remotely similar (i.e. someone at the server doesn't get to see the client's authentication token), then Server side step 3 needs to ALSO be client side step 4. Further, "hashes" is incorrect at step SS3, the new CS4, and very likely at CS2 as well; applying a standard password hashing function is what is required - BCrypt, SCrypt, or PBKDF2 with as large a work factor/iteration count as possible under peak load. Additionally, the salt in all cases must be random and long (8-16 bytes). |
| Jul 12, 2012 at 17:52 | answer added | Jason Smith | | timeline score: 1 |
| May 15, 2012 at 12:55 | answer added | user9651 | | timeline score: 1 |
| May 26, 2011 at 12:57 | answer added | Marcin | | timeline score: 3 |
| May 26, 2011 at 8:09 | history edited | AviD♦ | | edited tags |
| May 18, 2011 at 22:05 | comment added | crazy2be | | I always assumed that at least part of the reason was accessibility. Your second example relies on JavaScript, and would not work for clients without JS support. However, I'm interested to see why this would be a bad idea from a security standpoint. Over HTTP at least, I would assume this would at least somewhat increase the "security", since compromising the session does not immediately yield the user's password (which they likely use for other sites). |
| May 18, 2011 at 18:40 | answer added | Brendan Long | | timeline score: 10 |
| May 18, 2011 at 18:36 | vote accept | Incognito | | |
| May 18, 2011 at 18:32 | answer added | rook | | timeline score: 38 |
| May 18, 2011 at 17:24 | history tweeted | | | twitter.com/#!/StackSecurity/status/70902625670922240 |
| May 18, 2011 at 15:46 | answer added | bethlakshmi | | timeline score: 16 |
| May 18, 2011 at 15:45 | answer added | Rory Alsop♦ | | timeline score: 14 |
| May 18, 2011 at 14:20 | comment added | zedman9991 | | This may help stackoverflow.com/questions/1380168/… |
| May 18, 2011 at 14:15 | answer added | Bruno | | timeline score: 8 |
| May 18, 2011 at 14:12 | answer added | Stephen Paulger | | timeline score: 6 |
| May 18, 2011 at 13:52 | history asked | Incognito | CC BY-SA 3.0 | |